Email Harvesting Tutorial using Metasploit for Penetration testing

Email Harvesting Tutorial using Metasploit

Harvesting mails online is something which all ethical hacker require .The simplest method involves spammers purchasing or trading lists of email addresses from other spammers . But being etchical hackers you might need to get mail lists .Another common method is the use of special software known as “harvesting bots” or “harvesters”, which spider Web pages, postings on Usenet, mailing list archives, internet forums and other online sources to obtain email addresses from public data.

Harvesting emails is process of collecting the mail address present online that can be located using search engines . It is the process of obtaining lists of email addresses using various methods for use in bulk email or other purposes usually grouped as spam.

Email harvesting is also used by hackers to spam their RAT’s and create large botnets . Phishing campaigns are also run using the publicly available email addresses .

This technique therefore is an important task to be performed during a penetration test . We will be using our favorite Metasploit framework to perform an email harvesting .

How to Perform Email Harvesting using Metasploit :

Start by opening a terminal and just type msfconsole to start Metasploit for mail Harvesting Tutorial using Metasploit.

msfconsole

Email Harvesting Tutorial using Metasploit

Now to look for an exploit that can help you with email harvesting , type search collector .

search collector

This might take some time depending on the machine you use .
When you see the search has completed , you must see something similar as in the below screenshot .

Now you need to use one of the exploits available . I prefer search_email_collector to perform the email harvesting attack .

use gather/search_email_collector

Now I will configure this exploit to make it useful for our purpose . To see what all I need to configure in this exploit just type :

show options

This is what you must see :

Email Harvesting Tutorial using Metasploit

The Two main options to look at here are :

DOMAIN and OUTFILE .

The Domain specifies the domain for which the email addresses will be harvested . OUTFILE is the output file that will be created in your root folder with all the email address in it .

Now I will configure this exploit to suit my needs . Since this is not a professional penetration test , I will use a free web domain to harvest emails . My choice is Yahoo.com . Now I must get the email addresses on domain yahoo.com in my email list that can be harvested online .

To do so type the following :

set DOMAIN yahoo.com
set OUTFILE yahoo-list.txt

To check if I did all right type :

show options

See the below screenshot for reference :

Seems all is good and we are set to do some email harvesting . To start the exploit to run just type EXPLOIT !!

exploit

This must create the email list in .txt format . This will have all the emails that have been harvested for Yahoo.com .
Enjoy email harvesting !!

I hope you all have enjoyed the email harvesting tutorial using metasploit by Hackingloops.